Beyond Benchmarking, How Should Law and Corporate Compliance Intersect

  1. Beyond Benchmarking: How Should Law and Corporate Compliance Intersect? MICHELE DESTEFANO FOUNDER, LAWWITHOUTWALLS Associate Professor of Law, MiamiLaw Program on the Legal Profession 13 November 2012
  2. Corporations Around the Globe Are Facing a HUGE challenge 11/14/2012 DeStefano 3
  3. Despite the current freeze on legal expenditure corporations are having to invest HEAVILY in compliance ...
  4. . . . in managing the legal risk of business
  5. Questions? Questions? Questions? Where does legal end and compliance start? How Is Compliance Managed and by Whom? Who Should be Responsible for Compliance? And What about Ethics and Corporate Culture?
  6. In large publicly traded corporations, *historically* the compliance department was part of the legal department ... Overseen or even run by the chief legal officer ...
  7. In many respects, this is still true today
  8. Many corporate practices and mandates put compliance in the hands of lawyers . . .
  9. Practice/Mandates/Guidelines: ABA Task Force on Corporate Responsibility recommended that general counsels oversee compliance (with direct oversight by the Board). 46% of ACCA survey respondents claim that Compliance was ultimately overseen by the GC or the GC serves as the CCO. MR 1.13 and SOX §307 puts the GC in role of whistle blower/gatekeeper
  10. Recently, this has begun to . . .
  11. Although the government (e.g., OIG of the SEC and the DHHS) does not *require* that corporations separate the compliance and legal functions ...
  12. ... their unofficial stance is that they *should*
  13. Indeed, the SEC and the DHHS have forced corporations that have misbehaved to do just that ...
  14. To develop distinct Compliance Departments and designate a Chief Compliance Officer *that does NOT report to the GC/CLO* and that has direct access to the Board
  15. Consider the following four examples
  16. 2004 – Medicaid Pricing Fraud
  17. In its Corporate Integrity Agreement (CIA), Schering-Plough had to pay $293M, establish a hotline, revise corporate conduct code/training and designate a CCO to report directly to the CEO or President *and NOT the GC* with direct access to the Board
  18. 2004 – Fraudulent Revenue Projection
  19. In settlement, Quest agreed to pay $250M, and create a CCO position that would *report directly* to the CEO with direct access to the Board
  20. 2009 – Illegal Promotion of Drug Uses
  21. Pfizer paid $2.3 BILLION, pleaded guilty to a felony criminal violation, and signed a 5-year CIA mandating that it create a hotline, heighten training, and designate a CCO that would not be subordinate to the GC/CLO and would have direct access to the Board
  22. 2010 – Insider Trading Investigation
  23. To appease, the SEC created a “real” and singular compliance department with oversight by one designated CCO
  24. In Sum, the reaction by the DHHS and SEC has been to
  25. To emphasize the structure, management, policies, and programs around compliance
  26. To demand that malfeasant corporations separate compliance from the legal department,
  27. Designate a CCO that is not also the GC and does not report to the GC
  28. And that has direct access to the Board of Directors
  29. This Reaction is Consistent with Recent Laws and Recommendations: SEC's Compliance Rule 2004 requiring each SEC registered investment company/advisor to designate a CCO to oversee compliance and report directly to the Board; Federal Sentencing Guidelines defining what is an effective compliance program and providing extra credit for corporations that designate separate CCOs with direct reporting to the board; Guidelines by Professional Associations (OIG/ILA) recommending the same
  30. And more and more corporations seem to be following suit
  31. Over the past few years, in the wake of corporate scandals that span industries e.g., pharma, insurance, financial services, health care, consumer products,
  32. There appears to be an emerging trend
  33. to separate the compliance function from the legal department and create new distinct compliance departments
  34. compliance departments largely led and comprised of non-lawyers and non-practicing lawyers that report directly to the CEO and have direct access to the board
  35. Why and Should This Be So? Why Have Organizations Adopted this new stance on the organizational structure of compliance? AND Is this Best Practice?
  36. Questions? Questions? Questions? Do In-house Lawyers - when they work in the legal department - somehow impair ethics and compliance?
  37. Questions? Questions? Questions? Are lawyers – acting as lawyers – less able to prevent, uncover, and stop malfeasance?
  38. Questions? Questions? Questions? Does taking compliance out of the hands of practicing lawyers create the type of change that is needed to ensure a culture of compliance? Or are these new compliance departments just a formal solution to appease?
  39. “A number of the early mover companies that created compliance departments did so as part of resolving a major mishap or high profile problem -- so it was not necessarily a best practice. But after a number of major companies have done it over the years, it starts to look like a best practice. Once in that position, it becomes hard for a major corporation to explain why they don't need a compliance department.” (FGC-2)
  40. Purpose: Explore 3 Questions (i) What is “compliance”? (ii) How is it managed, where is it currently housed in large, publicly traded corporations and why? (iii) Who Should Oversee Compliance: What are the risks and benefits of having a distinct compliance function run by non-lawyers (or non-practicing lawyers) that report to the CEO/Board?
  41. Research Methodology Stage 1 • 2007 - completed before meltdown • 40 brief interviews (avg. 8 min) with General Counsels of S&P 500 corps in banking, pharmaceutical, & petroleum
  42. Research Methodology Stage 2 • 2010-present • 30-40 in-depth interviews (avg 60 min) with General Counsels and Chief Compliance Officers of large, publicly traded corporations • 6 industries: Pharmaceutical, Energy, Healthcare, Consumer Products, Financial Services, and Misc
  43. Research Methodology Stage 2 Goals: 1. 30-40 interviews comprising 2 to 3 companies per industry 2. 1 ex-GC in each industry 3. 1 lower level compliance manager in each industry 4. 1 to 2 nonpublic companies (GC and CCO) 5. 1 senior manager that works or used to work in compliance at the SEC, OIG 6. 1 to 2 compliance consultants/activists
  44. Caveats 1. Sample size is very very low 2. Still in the process of coding some interviews 3. This study is not comprised of a random sample and is based on self-reports by senior executives who arguably have certain stories to tell
  45. Key Findings to Date: Stage 2 Who Oversees Compliance? • GCs had ultimate responsibility for the compliance function for the majority of corporations interviewed – But the Compliance Department is considered distinct from the Legal Department – And the CCO has a dotted line to Board
  46. Key Findings to Date: Stage 2 Who Oversees Compliance? • Where GC/CLO did not have ultimate oversight, generally compliance was overseen by a former in-house lawyer, often the deputy general counsel, that reports to the CEO with access to the board
  47. Key Findings to Date: Stage 2 Who Oversees Compliance? • Compliance Departments are made up of a lot of lawyers
  48. Key Findings To Date: Role of the CCO vs the GC?
  49. Problem often faced by the CCO is the giving of legal advice ... Hard not to do given the nature and scope of the job and that often the CCO was trained as a lawyer
  50. Role of the CCO vs the GC? Consensus Similarity: Legal and Compliance Departments rely on legal expertise and have a shared goal to increase compliance with the law
  51. Role of the CCO vs the GC? Consensus Distinction: The CCO focuses on 1) building policies and procedures; 2) monitoring adherence; 3) training and educating employees on specific regulatory obligations; and, 4) testing employees on adherence.
  52. Role of the CCO vs the GC? Claimed Distinction 1: Compliance Officers (vs. GC) care about preventing misconduct, neutral fact finding, acting in the interest of stakeholders, uncovering misconduct, ethics, and culture
  53. Role of the CCO vs the GC? Claimed Distinction 2: Compliance Officers have different reporting obligations, aren't acting as lawyers, and can't garner attorney-client privilege protection
  54. Role of the CCO vs the GC? Claimed Distinction 3: Compliance requires management know-how in training, HR matters, communications, auditing, and internal controls, while legal work requires training in the law
  55. Role of the CCO vs the GC? Claimed Distinction 4: Lawyers tell you what the law says and are concerned with legal liability and vigorously defending the corporation at all costs
  56. Role of the CCO vs the GC? Claimed Distinction 5: The lawyers tell you whether you can do something, and compliance tells you whether you should
  57. Role of the CCO vs the GC? Typical Quote: “The General Counsel's job is . . . to advise [the company and senior managers] of the legal risks but not initiate the conversation over what is the right thing to do – the General Counsel's job is more black and white.”
  58. But these distinctions appear to be a bit artificial
  59. If you have a broad view of the role of the GC; If you believe (as many do) that the GC has or should have some gatekeeping responsibilities
  60. If you think the GC should play the role of counselor in charge of corporate culture and ethics and the corporate conscience ...
  61. Then these distinctions are a bit artificial
  62. Many GC interviewees saw these distinctions in reverse
  63. They claimed that the GC (as opposed to the CCO) is in charge of the ethics and corporate culture and that the CCOs can sometimes be seen as just . . .
  64. Traffic Cops
  65. So perhaps it is the philosophy of the role that matters more than the titles and segmentations
  66. A Typology of Roles: Not All CCOs are Alike
  67. Automaton
  68. Investigator
  69. Mark Wahlberg: The Departed
  70. Spy
  71. Counselor
  72. Counselor “I like to play the business card game with my CEO. Whenever there is a tough conversation around ethics and compliance and the law, I ask my CEO to take out his business card. I point out, as we look at the cards, that his card says ‘president, CEO, and chairman.’ My card says ‘VP, GC, and counsel.’ I explain that I want to concentrate on the counsel part. My card gives me the right to counsel you and you can disregard it. But I get to say I told you so . . .”
  73. Involved Parent
  74. Business Bottom Liner
  75. Scarecrow
  76. Which Way Do We Go?
  77. “Throughout the organization, we don't have someone named as a compliance officer – meaning that, if one person is in charge of compliance, nobody else has to worry about it.” (GC large petroleum company)
  78. Given that there are so many different archetypes, perhaps the right Question is:
  79. What are the risks and benefits of having the two segregated departments?
  80. Does segregation, in and of itself, create specific negative repercussions or positive consequences?
  81. Risks if Combined: Conflict of Interest
  82. Risks if Combined: Shield of Secrecy
  83. Risks if Separate: Turf Wars
  84. Risks if Separate: Inefficiencies
  85. Risks if Separate: Communication Issues & Loss of Shared Learnings
  86. Unidentified Risks if Separate: Revival of the Legal Technician
  87. Unidentified Risks if Separate: Decrease in Gatekeeping & Counselor Role
  88. Unidentified Risks if Separate: Increase in Information Protected by the Attorney-Client Privilege
  89. Unidentified Risks if Separate: Terminator CCOs
  90. Unidentified Risks if Separate: Increase in the UPL
  91. Unidentified Risks if Separate: Increase in the UPL “There is no such thing as a non-practicing lawyer – purely practical – if you are a lawyer you are a lawyer doesn't matter if licensed to practice law or not – people look at you as a lawyer and rely on you as it to dispense legal advice despite of title . . and therefore in my view I'm a GC of company if one my lawyers screws up – I'm responsible - - I can't say that's lawyer in compliance and I get by . . I think it's functionally wrong . . but reasonable people can differ”
  92. Unidentified Risks if Separate: Rise of the Law Consultant not bound by the MRPC
  93. Unidentified Risks if Separate: Just Another Risk to be Managed
  94. Unidentified Risks if Separate: Increase in Strict Liability?
  95. Unidentified Risks if Separate: Just a Copy-Cat Move
  96. But the only way to determine who should oversee compliance, and whether the departments should be segregated, is to agree on what the objectives are ...
  97. Are the objectives to increase the corporation's compliance with the rule of law?
  98. Are the objectives to increase the corporation's normative commitment to compliance? i.e., to establish a culture of compliance?
  99. Or are the objectives to enhance the expectations society has of lawyers and their role as gatekeepers, counselors, keepers of the corporate conscience?
  100. Arguably, the current trend/mandate applauds form over function and fails to deliver
  101. Although it is true that the SEC has claimed it will assess whether a company has a “culture of compliance”
  102. Recent Mandates by the government including the SEC do not appear to be doing so. They do NOT even consider
  103. The Importance of Collaboration to Effective Compliance & Culture
  104. Instead they prize independence and traditional notions of control OVER interdependency, embeddedness and collaboration
  105. They emphasize the outward formal organizational structures and programs ... as if they are proxies for effective compliance
  106. The Org Chart
  107. A Code of Conduct
  108. Training Manuals & Programs
  109. In order to find the critical gaps, the focus should be on the internal: 1) How people interact
  110. Informal Cultural Communication Norms
  111. It is the hidden norms and social networks that impact the choices employees make, NOT the public, formal ethics programs, codes of conduct, and mission statements
  112. Researchers agree that formal systems are the weakest link in the organization's ethical infrastructure and are typically far eclipsed by their informal counterparts
  113. In order to find the critical gaps, the focus should be on the internal: 2) How people are motivated
  114. Carrots? Or Sticks?
  115. While it is true that many compliance functions are “rote” or “check-the-box,” and malfeasance with these tasks is easy to uncover and compliance is easy to motivate
  116. When the choice involves non-routine tasks and deliberation involving morals, ethics, personal preferences, malfeasance is much harder to control with carrots or sticks
  117. Indeed, monetary incentives can take the good out of doing good; and if-then carrots or sticks neglect the ingredients of genuine motivation
  118. External or Internal
  119. In order to find the critical gaps, the focus should be on the internal: 3) How people make ethical decisions
  120. How Does Ethics Intersect with Compliance and the Law?
  121. Compliance initiatives do not account for the reality that employees do not necessarily recognize a dilemma as an ethical one
  122. Many Ethical Dilemmas Result from Blind Spots
  123. ... Think Pinto ... Think The Challenger
  124. Desensitization and Ethical Fading
  125. Preliminary Conclusions: 1) Large, publicly traded corporations should not preemptively comply with the government's unofficial preference towards stand-alone compliance departments
  126. Preliminary Conclusions: 2) Instead of focusing on the outward form and structure of an organization or formal exemplifications of compliance, assessment should look inward, at the informal communication, value chains, and culture of the company
  127. Preliminary Conclusions: 3) Bonus points should be given to those corporations that take an inward look at how work is actually being done and the networks and ethical culture that exist beneath and beyond the Org chart, the mission statement, and the code of conduct
  128. Questions? Questions? Questions? Are lawyers better able to run compliance than nonlawyers? Is the culture of the company determined by the tone at the top? Or the tone at the middle? Should Compliance be separate from Legal? Is having a compliance department more important today than 5 years ago?
  129. MICHELE DESTEFANO FOUNDER, LAWWITHOUTWALLS Associate Professor of Law, MiamiLaw